I need to sniff packets from a very busy proxy server (both interfaces, internal and external). What is worse, I will need to sniff for a day, maybe several days. Because of this I need a very precise filter. As a display filter it would look like this:
http contains someurl or ip.addr eq 184.108.40.206/24
or more slightly complex
(ip.dst eq 10.0.0.1 and http contains someurl) or ip.addr eq 220.127.116.11/24
The problem is obviously the "http contains someurl" part. This part is vital, as it will change 50 Mbps of traffic to only, say, 20 MB per day.
Any solution will do. Tshark, dumpcap, the GUI. I was thinking of something similar to this:
From Jefferson Ogata via the tcpdump-workers mailing list.
asked 27 Mar '14, 05:09
You can't do that with a 'simple' capture filter. You can try to use the capture filter generator, but the resulting filter might not work in all cases!!
Just take a look at the default sample and the generated capture filter. Duh....
Here is my suggestion: use ngrep
ngrep will write all frames that meet the search criteria to /var/tmp/http.pcap. It will not write the whole tcp stream, which is obvious!
There is also a Windows version of ngrep (please google/bing it).
answered 27 Mar '14, 11:42
Kurt Knochner ♦